We use the Backus-Naur Form to denote the elements of our policy language. Square brackets, [ ], denote optional items and curly brackets, {}, surround items that can repeat zero or more times. A vertical line, |, separates alternatives. Items inside double quotes are the terminal symbols.
An ACL is specified according to the following format:
acl ::= {acl_entry}
acl_entry ::=
    access_identity {access_identity} pos_access_rights {restriction}
        {pos_access_rights {restriction}} |
    access_identity {access_identity} neg_access_rights
access_identity ::=
    access_identity_type def_authority value
access_identity_type ::=
    "access_identity_HOST" |
    "access_identity_USER" |
    "access_identity_GROUP" |
    "access_identity_APPLICATION" |
    "access_identity_ANYBODY"
A capability is defined according to the following format:
capability ::=
    grantor_identity pos_access_rights {restriction}
        {pos_access_rights {restriction}}
grantor_identity ::=
    grantor_identity_type def_authority value
grantor_identity_type ::=
    "grantor_identity_HOST" |
    "grantor_identity_USER" |
    "grantor_identity_GROUP" |
    "grantor_identity_APPLICATION" |
    "grantor_identity_ANYBODY"
pos_access_rights ::=
    "positive_access_rights" def_authority value
    {"positive_access_rights" def_authority value}
neg_access_rights ::=
    "negative_access_rights" def_authority value
    {"negative_access_rights" def_authority value}
restriction ::=
    restriction_type def_authority value
restriction_type ::= alphanumeric_string
def_authority ::= alphanumeric_string
value ::= alphanumeric_string
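As an added illustration, not code from the original paper or its implementation, the following Python parser recognizes the acl and acl_entry productions above and rejects token streams the grammar does not allow (rights before any identity, positive and negative rights mixed in one entry, a restriction after negative rights). It assumes the ACL is presented as a whitespace-separated token stream in which every def_authority and value is a single token, and it treats each "positive_access_rights" triple as its own pos_access_rights group, which the grammar permits; the sample ACL, its authority names and values are constructed.

```python
from dataclasses import dataclass, field

IDENTITY_PREFIX = "access_identity_"
POS, NEG = "positive_access_rights", "negative_access_rights"

@dataclass
class Right:
    kind: str                 # "positive" or "negative"
    authority: str            # def_authority that defines the right's value
    value: str
    restrictions: list = field(default_factory=list)  # (restriction_type, def_authority, value)

@dataclass
class AclEntry:
    identities: list = field(default_factory=list)    # (access_identity_type, def_authority, value)
    rights: list = field(default_factory=list)        # all positive or all negative

def parse_acl(text):
    """Parse an acl ({acl_entry}) into a list of AclEntry, or raise ValueError."""
    tokens = text.split()
    if len(tokens) % 3:
        raise ValueError("every element is a (type, def_authority, value) triple")
    triples = [tuple(tokens[i:i + 3]) for i in range(0, len(tokens), 3)]
    entries, cur = [], None
    for kind, authority, value in triples:
        if kind.startswith(IDENTITY_PREFIX):
            if cur is None or cur.rights:     # an identity after rights starts a new entry
                cur = AclEntry()
                entries.append(cur)
            cur.identities.append((kind, authority, value))
        elif kind in (POS, NEG):
            if cur is None or not cur.identities:
                raise ValueError("access rights must follow at least one access_identity")
            if cur.rights and (cur.rights[-1].kind == "negative") != (kind == NEG):
                raise ValueError("an entry carries either positive or negative rights, not both")
            cur.rights.append(Right("positive" if kind == POS else "negative", authority, value))
        else:                                 # restriction_type def_authority value
            if cur is None or not cur.rights or cur.rights[-1].kind != "positive":
                raise ValueError(f"restriction {kind!r} must follow positive access rights")
            cur.rights[-1].restrictions.append((kind, authority, value))
    if cur is not None and not cur.rights:
        raise ValueError("entry has access identities but no access rights")
    return entries

# Constructed sample: alice may read via ftp only inside a time window; the
# guests group is denied ftp write. Authority names and values are made up.
SAMPLE_ACL = ("access_identity_USER krb5 alice positive_access_rights ftp read "
              "time_window local 9to17 "
              "access_identity_GROUP local guests negative_access_rights ftp write")
```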